Uninstall Petya virus (Jun 2018 updated) - Uninstall Guide

Petya virus Removal Guide

Description of Petya virus

Petya virus blocks the access to your data and demands to pay a ransom

Petya virus

Cybersecurity specialists have discovered that a well known ransomware virus – Petya virus – has been recently updated. The latest its variant, Bad Rabbit, belongs to the same group of viruses. Thus, its primary mission is to encrypt confidential data and make it inaccessible for a victim unless he or she pays the ransom.

It seems that the virus targets German-speaking users, however, do not let your guard down thinking that you will escape the infection. It has also been noticed in almost every Europe's country.

Analysts have already recorded the victims — companies such as ‘Maersk’, ‘Roseneft’, ‘Saint — Gobain’, a few banks and power suppliers, as well as recently infected Odessa’s International Airport together with Russian media groups ‘Fontanka’ and ‘Interfax’.

If you wonder who hides underneath Petya, IT experts claim that they have found serious evidence of ‘MeDoc’ company being a primary ransomware distribution source. However, it still hasn't been proved at the moment.

If you have already fallen into the trap of this virus and are about to pay the money, do not proceed with the transaction! We offer you a solution – Petya removal. In order to eliminate it completely you might need an antispyware program. One of the trustworthy software is FortectIntego. Petya virus

Ransomware uses complex algorithms to encode files on your computer

There are quite intriguing facts about Petya ransomware. It has been observed that it uses RSA-4096 and AES-256 algorithms which are said to be used by state militaries for encoding top secret files. Unlike other major ransomware threats, the virus forcefully restarts your operating system.

Once the computer is rebooted, the notification emerges declaring:


This warning appears due to the fact that the virus is encrypting your files. Thus, it alarms you not to interrupt the process. Convinced that it is a system error, you wait several minutes until ‘PRESS ANY KEY’ appears on the screen. It only takes a blink of an eye until you go spare after realising that all your highly essential documents and files are encrypted.

Moreover, the ransom note sets the time period within which you are obligated to pay a 0.9 Bitcoin ransom which equals to $400. Cybersecurity experts have already reported that the criminals changed their conditions and the value of the payment decreased to $300.

Moreover, you should be aware that data encryption is not the only feature of the ransomware. Unlike other malware, Petya is designed to modify computer’s master boot record (MBD) settings. Thus, the only way to remove the ransomware is to restore them.

While many might think that malware elimination works as a decryption process as well, remember, that in most of the situations a decryption key is necessary to regain access to your files. However, in this case, even it won’t help — Petya is not able to maintain required correspondence with Command/Control servers. In other terms, victims are not identified with specific numbers which are later used to match them with proper decryption keys.

Thus, malware experts defined the ransomware as a data wiper, since it generates useless random numbers/characters instead of providing a specific decryption key. In spite of that, you should not meet cybercriminals’ expectations and rush to remove Petya because even if you pay the ransom, your files will remain encrypted.

If you haven’t enabled a function on your computer to automatically store backup copies in the cloud, you can try alternative recovery methods provided at the end of this article. IT professionals finally developed a decryptor that can be acquired as a CD disk or as windows executable file. Read instructions below in order to find out how to use it.

However, our team informs you that the victims who suffered from PetyaWrap or EternalPetya versions of the parent program, will not be able to recover their files with the decryptor.

Petya virus

New versions of Petya:

Bad Rabbit ransomware virus. Since October 2017, the virus has been distributed as a fake Adobe Flash Player Update. Some IT experts warn that it also spreads with a Diskcoder.D’s name. Recorded victims are mostly located in Russia and Ukraine together with neighbor countries — Bulgaria and Turkey.

The key features of the malware are: The usage of the optimal mix of AES and RSA algorithms and .encrypted extension appended at the end of the file-name. Besides, victims are demanded to pay 0.05 Bitcoin ransom and faces a risk to expose their credentials.

Mamba ransomware. This extremely malicious program targets German companies and stealthily infiltrates onto computers. The victims are not able to detect the malware since it imitates regular processes while secretly corrupting data. It has been noticed spreading via spam emails or fake updates of regular programs.

Experts noted that hackers used Salsa20 algorithm to encrypt data on the computer. This new feature got rid of vulnerabilities discovered in previous Petya versions. Once installed, the ransomware insists on paying an enormous 1 BTC ransom.

GoldenEye ransomware virus. This malware operates similarly to its original version. It detects whether User Account Control (UAC) is not secured correctly and infects the system. To circumvent highly-protected UACs, the ransomware continuously generates a pop-up asking to give administrative rights and if agreed, launches the malware.

Afterwards, YOUR_FILES_ARE_ENCRYPTED.TXT file is created, stating that the victim has to pay a 1.3 BTC ransom in order to recover its data. Criminals use AES encryption method to attack their victims.

Petrwrap ransomware. Even though this malware is not directly developed by the same group of hackers, the creators exploited Petya’s code in order to obtain revenue illegally. The ransomware is based on the replaced ECDH algorithm of the parent program. Experts say that 2000 computers have been infected already and the number is only increasing.

To infiltrate the virus hackers use vulnerable RDP networks together with the psExec tool. One of the main differences of this version is that it remains silents for 1.5 hours before starting the encryption.

Misha ransomware. This malicious program started its activity in May 2016, when Janus Cybercrime Solutions campaign invited other criminals to reinforce Petya developers. This is another way how hackers generate revenue since there is an entrance fee. The value of the ransom exceeds 1.93 BTC. Thus criminals share huge profits from distributing the malware.

Another important detail is that victims are asked to use a Tor browser in order to gain further information on how to decrypt their files. The ransomware employs AES and CBC encryption algorithms to perform an attack. Petya virus

Malicious program spreads via corrupted Dropbox links and fake Adobe Flash update

Before proceeding to the removal part, it is vital to be aware of the transmission methods. IT experts have detected that the ransomware spreads via infected email attachments. Once criminals updated Petya virus, they provided wowsmith123456@posteo.net e-mail address to receive further information about payments. However, be wary that it might come in either format.

Furthermore, the virus is spotted traveling via Dropbox link with ‘application folder-gepackt.exe’ attached. After you open it, the virus starts its dreadful job. Recent reports inform that new versions of this ransomware use the CVE-2017-0199 Office RTF vulnerability to infect the systems. Now you know one of the leading channels how Petya malware might attack you. Likewise, it is crucial to be extremely cautious opening the emails received from unknown senders.

Moreover, one of your acquaintances might be infected with the virus. With the help of a malicious computer worm, the virus might come hidden under a file which was seemingly sent from your friend. All in all, it doesn’t take much time to inquire him or her directly. As a result, you can minimize the risk of getting infected with Petya virus.

Additionally, our team suggests downloading MS17-010 and other Microsoft patches to fix SMB vulnerability that is discovered as being exploited by different versions of the ransomware. Of course, use a powerful antispyware application, this way you will fully protect your system from malevolent programs. Petya virus

A reliable security software can help you get rid of Petya virus

You should take into account that the ransomware has a significantly complex and exquisite structure so eliminating it by yourself might turn into quite a challenge. If you are prepared to remove Petya, you might perform elimination by following the instructions delivered by IT specialists. However, you will need to pay attention and follow each step with utmost precision.

Alternatively, there is another choice – automatic Petya removal. For that purpose, it is necessary to choose a powerful anti-spyware program. Mostly, all of them are created to block and delete various sorts of malware, including ransomware as well.

Additionally, you will need to check regularly whether the software is updated. This is crucial since the program requires to maintain proper protection of your operating system and block you from future virus assaults. Lastly, we remind you to back up your files regularly and cautiously reading emails.

try it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Security Tools
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Security Tools
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Petya virus. Follow these steps

In-depth guide for the Petya elimination

Important! →
The elimination guide can appear too difficult if you are not tech-savvy. It requires some knowledge of computer processes since it includes system changes that need to be performed correctly. You need to take steps carefully and follow the guide avoiding any issues created due to improper setting changes. Automatic methods might suit you better if you find the guide too difficult.

Step 1. Launch Safe Mode with Networking

Safe Mode environment offers better results of manual virus removal

Windows 7 / Vista / XP
  1. Go to Start.
  2. Choose Shutdown, then Restart, and OK.
  3. When your computer boots, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) a few times until you see the Advanced Boot Options window.
  4. Select Safe Mode with Networking from the list.
    Safe Mode option
Windows 10 / Windows 8
  1. Right-click the Start button and choose Settings.
    Settings of the system
  2. Scroll down to find Update & Security.
    Update & security section in settings
  3. On the left, pick Recovery.
  4. Scroll to find Advanced Startup section.
  5. Click Restart now.
  6. Choose Troubleshoot.
  7. Go to Advanced options.
    Troubleshooting options
  8. Select Startup Settings.
    Advanced section
  9. Press Restart.
    Choose the Safe Mode
  10. Choose 5) Enable Safe Mode with Networking.

Step 2. End questionable processes

You can rely on Windows Task Manager that finds all the random processes in the background. When the intruder is triggering any processes, you can shut them down:

  1. Press Ctrl + Shift + Esc keys to open Windows Task Manager.
  2. Click on More details.
    More options of Task manager
  3. Scroll down to Background processes.
  4. Look for anything suspicious.
  5. Right-click and select Open file location.
    Task manager
  6. Go back to the Process tab, right-click and pick End Task.
  7. Delete the contents of the malicious folder.

Step 3. Check the program in Startup

  1. Press Ctrl + Shift + Esc on your keyboard again.
  2. Go to the Startup tab.
  3. Right-click on the suspicious app and pick Disable.
    Disable process

Step 4. Find and eliminate virus files

Data related to the infection can be hidden in various places. Follow the steps and you can find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup option
  2. Select the drive (C: is your main drive by default and is likely to be the one that has malicious files in) you want to clean.
  3. Scroll through the Files to delete and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Choose the disk clean up
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Eliminate Petya using System Restore

  • Step 1: Restart your computer in Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Go to Start Shutdown Restart OK.
    2. As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
    3. Choose Command Prompt from the list Choose 'Safe Mode with Command Prompt' option

    Windows 10 / Windows 8
    1. Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
    2. Then select Troubleshoot Advanced options Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings. Choose 'Enable Safe Mode with Command Prompt' option
  • Step 2: Perform a system restore to recover files and settings
    1. When the Command Prompt window appears, type in cd restore and press Enter. Type 'cd restore' without quotes and hit 'Enter'
    2. Then type rstrui.exe and hit Enter.. Type 'rstrui.exe' without quotes and hit 'Enter'
    3. In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Petya and then click on the Next button again. When 'System Restore' wizard comes up, click 'Next'. Choose a preferable restore point and click 'Next'
    4. To start system restore, click Yes. Hit 'Yes' and start system restore
    After restoring the computer system to an antecedent date, install and check your computer with FortectIntego to uncover any remains of Petya.

It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Petya and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.

How to prevent from getting ransomware

Prevent the government from spying on you

As there is a growing debate in government about collecting users' data and spying on citizens, you should take a closer look at this issue and find out what shady ways of gathering information can be used to collect information about you. You need to browse anonymously if you want to avoid any government-initiated spying and tracking of information. 

You can enjoy secure internet browsing and minimize the risk of intrusion into your system if you use Private Internet Access VPN program. This VPN application creates a virtual private network and provides access to the required data without any content restrictions.

Control government and other third party access to your data and ensure safe web browsing. Even if you do not engage in illegal activities and trust your ISP, we recommend being careful about your security. You should take extra precautions and start using a VPN program.

Recover files damaged by a dangerous malware attack

Despite the fact that there are various circumstances that can cause data to be lost on a system, including accidental deletion, the most common reason people lose photos, documents, videos, and other important data is the infection of malware.

Some malicious programs can delete files and prevent the software from running smoothly. However, there is a greater threat from the dangerous viruses that can encrypt documents, system files, and images. Ransomware-type viruses focus on encrypting data and restricting users’ access to files, so you can permanently lose personal data when you download such a virus to your computer.

The ability to unlock encrypted files is very limited, but some programs have a data recovery feature. In some cases, the Data Recovery Pro program can help recover at least some of the data that has been locked by a virus or other cyber infection.

About the author
Lucia Danes
Lucia Danes - Virus researcher

If you found this free tutorial helpful, please consider making a donation to support us. Even the smallest amount will be appreciated and will help to keep this service alive.

Contact Lucia Danes
About the company Esolutions

Uninstall guides in different languages